Policy filter questions

How do you find the name of the default password domain policy for a given domain, and more importantly how do you find every user who is subject to the default domain policy, and every user who is exempt/filtered from it? If in ADUC can you provide some basic steps as I am still getting used to the tool.

Also, how do policy filters/exemptions work? Say for example you want a user to be subject to the default domain password policy around account lockout and password complexity, but you don’t want their password to expire, how do you ensure the user still is subject to the default domain policy, but essentially filters/overrides the password expiry setting when the default domain policy is applied to their account? Can you explain the mechanics?

I am not sure that is true though, as our domain policy is a set number of characters, lockout after 10 failed attempts, etc. However, we have admin accounts with passwords less than 10 characters whose accounts don't expire.

KCTS is right: in 2003 you cannot have more than one password policy, but this has been resolved in 2008, now called Fine-Grained Password Policy, where you can create and apply it according to your requirement.

If in ADUC I create a new query, in "define query" it has a check box "Non expiring passwords". If I check that and run it, it returns around 200 users. If the domain policy says passwords will expire after 90 days, please explain why ADUC reports there are many accounts that do indeed have passwords that don't expire.

And also what about service and backup accounts, whereby you wouldn't want an expiring password?

What about password length and account lockout: are there similar settings for these parameters whereby you can go contrary to the domain policy around password length and account lockout, or is the only contrary option the password expiry parameter?

The link above that you didn't want to read explained the concept very well, but in short the policy is the starting point. As it is not read-only, amendments can be made by authorised users at the policy level itself or, more granularly, at the user level to make incidental changes such as change password at next logon, password never expires, etc. However, some cannot be controlled in any way other than at the domain level, such as password length in 2003.
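
The mechanics discussed in this thread can be audited per account with the ActiveDirectory PowerShell module. This is an added example, not part of any poster's reply; it assumes RSAT is installed, the caller can read the domain, and the domain functional level is 2008 or later for the fine-grained policy lookup.

```powershell
# Added example: report, for every enabled user, which password policy applies
# and which per-user flags sit on top of it.
Import-Module ActiveDirectory

# Domain-wide password and lockout settings (the "default domain policy" values).
$default = Get-ADDefaultDomainPasswordPolicy

$report = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
    ForEach-Object {
        # Returns the fine-grained password policy (PSO) that wins for this user,
        # or nothing when the user falls under the domain-wide settings.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_

        # Both policy object types expose the same setting names.
        $effective = if ($pso) { $pso } else { $default }

        [pscustomobject]@{
            User                = $_.SamAccountName
            PolicySource        = if ($pso) { "PSO: $($pso.Name)" } else { 'Domain default' }
            MinPasswordLength   = $effective.MinPasswordLength
            LockoutThreshold    = $effective.LockoutThreshold
            MaxPasswordAge      = $effective.MaxPasswordAge
            # Per-user flag: the policy still applies, but expiry is skipped.
            PasswordNeverExpires = $_.PasswordNeverExpires
            # Per-user flag: the account may hold a blank password regardless of policy.
            PasswordNotRequired = $_.PasswordNotRequired
            PasswordLastSet     = $_.PasswordLastSet
        }
    }

# How many users fall under each policy.
$report | Group-Object PolicySource | Select-Object Name, Count

# Accounts whose per-user flags deviate from the policy that applies to them.
$report |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired } |
    Sort-Object PolicySource, User |
    Format-Table User, PolicySource, MaxPasswordAge, PasswordNeverExpires,
                 PasswordNotRequired, PasswordLastSet -AutoSize
```

Comparing `PasswordLastSet` with the date the current minimum length was introduced shows which passwords predate the setting, since length and complexity are only checked when a password is set or changed.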
